News Insights: White House Releases New National Cyber Policy

Today, the White House released a new national cyber policy.

News Insights:

“This strategy continues a trend of a more activist federal government pushing cybersecurity forward. Within the last 12 months or so, you can see increased announcements and initiatives from CISA, as an example, that foreshadowed something broader. The pillars build on existing ideas and cyber principles – defend critical infrastructure, support the nation’s collective defense, and embrace secure by design. That last item has been discussed in solution development forums for years, but hasn’t become a norm for producers.

The real test will come in the pronouncements that follow. A strategy by itself won’t compel companies to change how they invest. This strategy is a shot across the bow that signals tougher standards are coming. How those manifest themselves will be fascinating to watch. Will the administration try to enact laws with associated fines? Will they pressure industry groups to do self-improvement? Can they become a catalyst for real change and help get cybersecurity past the tipping point where best practices are the only accepted practices? Hopefully, one way or another, they can spur real change and make all of our lives safer.”

Craig Burland, CISO, Inversion6

“The report emphasizes modernizing federal security; a crucial part of this must be accelerating the government’s ability to onboard modern and next generation security technologies. Government agencies must be able to efficiently test technologies in dynamic environments that mirror, in both scale and complexity, the environment they will be expected to defend. They also would benefit from moving validated security solutions to the front of the line and accelerating mandatory audit timelines. In the end, when the federal government gains access to advanced security solutions more quickly, they can force attackers to rapidly adapt to try and keep pace.

Technology will also be critical for improving the ‘speed and scale’ of threat intelligence sharing that the report calls for. Threat intelligence is vital but it is vast and only growing – organizations need technology which cuts through the intelligence and identifies how a particular vulnerability impacts their unique environment and they need that information fast. Distilling that information and translating it into a strategy based on bespoke organizational risk is a job for technology – we can’t put the onus on humans anymore, and they need to be freed up for strategy and remediation.

It is positive to see the new strategy emphasizes the importance of mandating ‘security by design’ as well as the focus on robust technologies and the creation of a better cyber workforce.

As we look towards a future where a hybrid human-AI approach to cyber is absolutely necessary, the pursuit to meet a stronger, more robust, and better enabled cyber workforce must be executed with innovative and accessible programs that are both growing and investing in the next generation of security practitioners and augmenting them to get further faster and increase workload efficiency and accelerate response times.”

By Marcus Fowler, CEO Darktrace Federal

“Would you consent to undergoing a surgical procedure performed by a newly graduated individual who possesses exceptional proficiency in performing surgeries on cats? Furthermore, why would you entrust the same individual with the task of developing software for your pacemaker? While the answer to the former question will be negative, as a society, we permit the latter to occur. The IT industry has demonstrated remarkable adeptness in evading warranties on their products and offering them for sale ‘as is.’ This apparent lack of accountability is unprecedented in other industries, such as healthcare and construction.”

Szilveszter Szebeni – CISO at Tresorit

“If we’ve learned nothing else, it’s that the stick of penalties has failed, and now the Federal government is going to offer carrots, something I’ve long believed will be more effective. The National Cybersecurity Strategy’s biggest impact – if it can achieve its stated goals – will be to shift corporate mindsets in the US from “security means penalties” to “security means attaining rewards.” Looking beyond critical infrastructure, the Strategy notes that regulators are encouraged to incentivize cybersecurity through rate-making processes, tax structures, or other mechanisms. We need to reward robust while penalizing inferior security. If the Strategy can effectively shift this mentality, then businesses can view cybersecurity as a tangible revenue-enabler listed on their balance sheets rather than merely an amorphous cost savings.”

Karen Walsh – Cyber Security Compliance Expert and CEO at Allegro Solutions